Tuesday, October 13, 2009

Operational risks are those associated with the failure of systems, people or processes, or that result from the impact of external events. Therefore it is clear that businesses have always managed operational risk. They have taken steps to prevent theft and fraud and have introduced checks and balances to pick up the basic human errors that beset all businesses. Since computers have become a commonplace of business life, we have created a dizzying array of passwords, firewalls and encryption methodologies to ensure that our data remain secure, and we have insured our business assets against fire, theft, flood, earthquake and other natural disasters. All of these actions are designed to protect us against the adverse impact of operational risk. On the whole, however, firms have not found it necessary to model or seek to quantify operational risk exposures. They have identified and ranked risks in relative terms as being high, medium or low risks, but have not sought to apply a financial value to such exposures. For financial institutions this situation changed with the advent of Basel II, the name commonly applied to the guidance provided by the Committee for Banking Supervision of the Bank for International Settlements on the appropriate level of capital that internationally active banks should set aside to protect themselves against risk. Under the previous system (commonly referred to as Basel I), capital was set aside to cover credit risk (on the basis of a set amount to be held against money lent regardless of the quality of the borrower) and market risk. Basel II, however, seeks to create a risk-sensitive, forward-looking capital adequacy assessment that will assess levels of credit, market and, for the first time, operational risk that are present in the bank concerned and assign capital based on these levels of risk.The Committee sets out the methodologies that banks should use to calculate their exposure to operational risk.1 At the most basic level, capital is calculated by using a proxy (average net interest income plus average net non-interest income over the previous three years) and multiplying this value by a risk factor designed to be indicative of the level of operational risk in the market. Such methods involve no risk analysis but merely provide a number for capital adequacy purposes. The road is, however, open for more ambitious institutions to opt for the Advanced Measurement Approach and develop a modelled approach to the quantification of operational risk.The motivation for a bank to model operational risk exposures has therefore originated through regulatory imperative, but the process has commercial benefits that flow across industry and business sectors and stretch beyond the regulated financial services sector. Let us say, for example, that we detect a flaw in a system and process that exposes us to loss and we believe the risk to be ‘high’. However, the event has yet to produce a tangible loss. We want to avoid such a loss, but how will we be able to build a business case to support the level of expenditure we need to correct the flaw? Those responsible for the company purse strings are unlikely to be swayed by a red traffic light in a risk report when asked to release a possibly significant sum to resolve the flaw. It is useful in such cases to be able to indicate a monetary scale for the potential risk so that a proper cost–benefit analysis can be carried out. To produce this estimate of exposure we will need to develop an operational risk model